/*	$OpenBSD: ip_spd.c,v 1.120 2024/04/17 20:48:51 bluhm Exp $	*/
/*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
 * Copyright (c) 2000-2001 Angelos D. Keromytis.
 *
 * Permission to use, copy, and modify this software with or without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
 * modification of this software.
 * You may use this code under the GNU public license if you so wish. Please
 * contribute changes back to the authors under this freer than GPL license
 * so that we may further the use of strong encryption without limitations to
 * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/kernel.h>
#include <sys/socketvar.h>
#include <sys/pool.h>
#include <sys/timeout.h>

#include <net/route.h>
#include <net/netisr.h>

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/in_pcb.h>
#include <netinet/ip_ipsp.h>
#include <net/pfkeyv2.h>

int	ipsp_spd_inp(struct mbuf *, const struct ipsec_level *,
	    struct ipsec_policy *, struct tdb **);
int	ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
	    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
int	ipsp_pending_acquire(struct ipsec_policy *, union sockaddr_union *);
void	ipsp_delete_acquire_timer(void *);
void	ipsp_delete_acquire_locked(struct ipsec_acquire *);
void	ipsp_delete_acquire(struct ipsec_acquire *);
void	ipsp_unref_acquire_locked(struct ipsec_acquire *);

struct pool ipsec_policy_pool;
struct pool ipsec_acquire_pool;

/*
 * For tdb_walk() calling tdb_delete_locked() we need lock order
 * tdb_sadb_mtx before ipo_tdb_mtx.
 */
struct mutex ipo_tdb_mtx = MUTEX_INITIALIZER(IPL_SOFTNET);
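
/*
 * A minimal sketch of how the lookup code below preserves that order:
 * ipo_tdb_mtx is released before calling gettdbbydst()/gettdbbysrc(),
 * which take tdb_sadb_mtx internally, and is re-entered only afterwards:
 *
 *	mtx_leave(&ipo_tdb_mtx);
 *	tdb = gettdbbydst(...);
 *	mtx_enter(&ipo_tdb_mtx);
 */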

/* Protected by the NET_LOCK(). */
struct radix_node_head **spd_tables;
unsigned int spd_table_max;

struct mutex ipsec_acquire_mtx = MUTEX_INITIALIZER(IPL_SOFTNET);
struct ipsec_acquire_head ipsec_acquire_head =
    TAILQ_HEAD_INITIALIZER(ipsec_acquire_head);

struct radix_node_head *
spd_table_get(unsigned int rtableid)
{
	unsigned int rdomain;

	NET_ASSERT_LOCKED();

	if (spd_tables == NULL)
		return (NULL);

	rdomain = rtable_l2(rtableid);
	if (rdomain > spd_table_max)
		return (NULL);

	return (spd_tables[rdomain]);
}

struct radix_node_head *
spd_table_add(unsigned int rtableid)
{
	struct radix_node_head *rnh = NULL;
	unsigned int rdomain;
	void *p;

	NET_ASSERT_LOCKED_EXCLUSIVE();

	rdomain = rtable_l2(rtableid);
	if (spd_tables == NULL || rdomain > spd_table_max) {
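		/*
		 * Grow the per-rdomain array of SPD table pointers,
		 * copying the old slots over before freeing them.
		 */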
		if ((p = mallocarray(rdomain + 1, sizeof(*rnh),
		    M_RTABLE, M_NOWAIT|M_ZERO)) == NULL)
			return (NULL);

		if (spd_tables != NULL) {
			memcpy(p, spd_tables, sizeof(*rnh) * (spd_table_max+1));
			free(spd_tables, M_RTABLE,
			    sizeof(*rnh) * (spd_table_max+1));
		}
		spd_tables = p;
		spd_table_max = rdomain;
	}

	if (spd_tables[rdomain] == NULL) {
		if (rn_inithead((void **)&rnh,
		    offsetof(struct sockaddr_encap, sen_type)) == 0)
			rnh = NULL;
		spd_tables[rdomain] = rnh;
	}

	return (spd_tables[rdomain]);
}

int
spd_table_walk(unsigned int rtableid,
    int (*func)(struct ipsec_policy *, void *, unsigned int), void *arg)
{
	struct radix_node_head *rnh;
	int (*walker)(struct radix_node *, void *, u_int) = (void *)func;
	int error;

	rnh = spd_table_get(rtableid);
	if (rnh == NULL)
		return (0);
	/* EAGAIN means the tree changed. */
	while ((error = rn_walktree(rnh, walker, arg)) == EAGAIN)
		continue;

	return (error);
}
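
/*
 * Example (hypothetical): a walker callback counting the policies in a
 * table; the names are illustrative and not part of this file.  A nonzero
 * return value stops the walk.
 *
 *	int
 *	count_policy(struct ipsec_policy *ipo, void *arg, unsigned int rtableid)
 *	{
 *		(*(int *)arg)++;
 *		return (0);
 *	}
 *
 *	int total = 0;
 *	error = spd_table_walk(rtableid, count_policy, &total);
 */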

/*
 * Look up the SPD based on the headers contained in the mbuf. The second
 * argument indicates the protocol family of the header at the beginning
 * of the mbuf. hlen is the offset of the transport protocol header
 * in the mbuf.
 *
 * Return combinations (of return value and *tdbout):
 * - -EINVAL -> silently drop the packet
 * - errno -> drop packet and return error
 * - 0/NULL -> no IPsec required on packet
 * - 0/TDB -> do IPsec
 *
 * In the case of incoming flows, only the first three combinations are
 * returned.
 */
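/*
 * Sketch of how a caller might dispatch on these combinations (assumed
 * usage, not a caller that exists in this file):
 *
 *	error = ipsp_spd_lookup(m, af, hlen, dir, tdbin, seclevel, &tdb, ids);
 *	if (error == -EINVAL) {
 *		m_freem(m);			drop silently
 *	} else if (error != 0) {
 *		m_freem(m);			drop and report error
 *	} else if (tdb != NULL) {
 *		...				apply IPsec, then tdb_unref(tdb)
 *	} else {
 *		...				no IPsec required
 *	}
 */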
int
ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
    struct tdb *tdbin, const struct ipsec_level *seclevel, struct tdb **tdbout,
    struct ipsec_ids *ipsecflowinfo_ids)
{
	struct radix_node_head *rnh;
	struct radix_node *rn;
	union sockaddr_union sdst, ssrc;
	struct sockaddr_encap *ddst, dst;
	struct ipsec_policy *ipo;
	struct ipsec_ids *ids = NULL;
	int error, signore = 0, dignore = 0;
	u_int rdomain;

	NET_ASSERT_LOCKED();

	/*
	 * If there are no flows in place, there's no point
	 * continuing with the SPD lookup.
	 */
	if (!ipsec_in_use)
		return ipsp_spd_inp(m, seclevel, NULL, tdbout);

	/*
	 * If an input packet is destined to a BYPASS socket, just accept it.
	 */
	if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
	    (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
	    (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
	    (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
		if (tdbout != NULL)
			*tdbout = NULL;
		return 0;
	}

	memset(&dst, 0, sizeof(dst));
	memset(&sdst, 0, sizeof(union sockaddr_union));
	memset(&ssrc, 0, sizeof(union sockaddr_union));
	ddst = (struct sockaddr_encap *)&dst;
	ddst->sen_family = PF_KEY;
	ddst->sen_len = SENT_LEN;
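	/*
	 * The sockaddr_encap filled in here and in the switch below is
	 * the key for the radix-tree lookup further down.
	 */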

	switch (af) {
	case AF_INET:
		if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen)
			return EINVAL;

		ddst->sen_direction = direction;
		ddst->sen_type = SENT_IP4;

		m_copydata(m, offsetof(struct ip, ip_src),
		    sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src));
		m_copydata(m, offsetof(struct ip, ip_dst),
		    sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst));
		m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t),
		    (caddr_t) &(ddst->sen_proto));

		sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET;
		sdst.sin.sin_len = ssrc.sin.sin_len =
		    sizeof(struct sockaddr_in);
		ssrc.sin.sin_addr = ddst->sen_ip_src;
		sdst.sin.sin_addr = ddst->sen_ip_dst;

		/*
		 * If TCP/UDP, extract the port numbers to use in the lookup.
		 */
		switch (ddst->sen_proto) {
		case IPPROTO_UDP:
		case IPPROTO_TCP:
			/* Make sure there's enough data in the packet. */
			if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t))
				return EINVAL;

			/*
			 * Luckily, the offset of the src/dst ports in
			 * both the UDP and TCP headers is the same (first
			 * two 16-bit values in the respective headers),
			 * so we can just copy them.
			 */
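			/*
			 * Shared layout of the first four bytes of both
			 * headers:
			 *
			 *	u_int16_t sport;	at offset hlen
			 *	u_int16_t dport;	at offset hlen + 2
			 */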
			m_copydata(m, hlen, sizeof(u_int16_t),
			    (caddr_t) &(ddst->sen_sport));
			m_copydata(m, hlen + sizeof(u_int16_t),
			    sizeof(u_int16_t),
			    (caddr_t) &(ddst->sen_dport));
			break;

		default:
			ddst->sen_sport = 0;
			ddst->sen_dport = 0;
		}

		break;

#ifdef INET6
	case AF_INET6:
		if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen)
			return EINVAL;

		ddst->sen_type = SENT_IP6;
		ddst->sen_ip6_direction = direction;

		m_copydata(m, offsetof(struct ip6_hdr, ip6_src),
		    sizeof(struct in6_addr),
		    (caddr_t) &(ddst->sen_ip6_src));
		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
		    sizeof(struct in6_addr),
		    (caddr_t) &(ddst->sen_ip6_dst));
		m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt),
		    sizeof(u_int8_t),
		    (caddr_t) &(ddst->sen_ip6_proto));

		sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6;
		sdst.sin6.sin6_len = ssrc.sin6.sin6_len =
		    sizeof(struct sockaddr_in6);
		in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src);
		in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst);

		/*
		 * If TCP/UDP, extract the port numbers to use in the lookup.
		 */
		switch (ddst->sen_ip6_proto) {
		case IPPROTO_UDP:
		case IPPROTO_TCP:
			/* Make sure there's enough data in the packet. */
			if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t))
				return EINVAL;

			/*
			 * Luckily, the offset of the src/dst ports in
			 * both the UDP and TCP headers is the same
			 * (first two 16-bit values in the respective
			 * headers), so we can just copy them.
			 */
			m_copydata(m, hlen, sizeof(u_int16_t),
			    (caddr_t) &(ddst->sen_ip6_sport));
			m_copydata(m, hlen + sizeof(u_int16_t),
			    sizeof(u_int16_t),
			    (caddr_t) &(ddst->sen_ip6_dport));
			break;

		default:
			ddst->sen_ip6_sport = 0;
			ddst->sen_ip6_dport = 0;
		}

		break;
#endif /* INET6 */

	default:
		return EAFNOSUPPORT;
	}

	/* Actual SPD lookup. */
	rdomain = rtable_l2(m->m_pkthdr.ph_rtableid);
	if ((rnh = spd_table_get(rdomain)) == NULL ||
	    (rn = rn_match((caddr_t)&dst, rnh)) == NULL) {
		/*
		 * Return whatever the socket requirements are, there are no
		 * system-wide policies.
		 */
		return ipsp_spd_inp(m, seclevel, NULL, tdbout);
	}
	ipo = (struct ipsec_policy *)rn;

	switch (ipo->ipo_type) {
	case IPSP_PERMIT:
		return ipsp_spd_inp(m, seclevel, ipo, tdbout);

	case IPSP_DENY:
		return EHOSTUNREACH;

	case IPSP_IPSEC_USE:
	case IPSP_IPSEC_ACQUIRE:
	case IPSP_IPSEC_REQUIRE:
	case IPSP_IPSEC_DONTACQ:
		/* Nothing more needed here. */
		break;

	default:
		return EINVAL;
	}

	/* Check for non-specific destination in the policy. */
	switch (ipo->ipo_dst.sa.sa_family) {
	case AF_INET:
		if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) ||
		    (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST))
			dignore = 1;
		break;

#ifdef INET6
	case AF_INET6:
		if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) ||
		    (memcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128,
		    sizeof(in6mask128)) == 0))
			dignore = 1;
		break;
#endif /* INET6 */
	}

	/* Likewise for source. */
	switch (ipo->ipo_src.sa.sa_family) {
	case AF_INET:
		if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY)
			signore = 1;
		break;

#ifdef INET6
	case AF_INET6:
		if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr))
			signore = 1;
		break;
#endif /* INET6 */
	}
	/* Do we have a cached entry? If so, check if it's still valid. */
	mtx_enter(&ipo_tdb_mtx);
	if (ipo->ipo_tdb != NULL &&
	    (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) {
		TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
		    ipo_tdb_next);
		tdb_unref(ipo->ipo_tdb);
		ipo->ipo_tdb = NULL;
	}
	mtx_leave(&ipo_tdb_mtx);

	/* Outgoing packet policy check. */
	if (direction == IPSP_DIRECTION_OUT) {
		/*
		 * If the packet is destined for the policy-specified
		 * gateway/endhost, and the socket has the BYPASS
		 * option set, skip IPsec processing.
		 */
		if ((seclevel != NULL) &&
		    (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
		    (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
		    (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
			/* Direct match. */
			if (dignore ||
			    !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
				if (tdbout != NULL)
					*tdbout = NULL;
				return 0;
			}
		}
		/* Check that the cached TDB (if present) is appropriate. */
		mtx_enter(&ipo_tdb_mtx);
		if (ipo->ipo_tdb != NULL) {
			if ((ipo->ipo_last_searched <= ipsec_last_added) ||
			    (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) ||
			    memcmp(dignore ? &sdst : &ipo->ipo_dst,
			    &ipo->ipo_tdb->tdb_dst,
			    ipo->ipo_tdb->tdb_dst.sa.sa_len))
				goto nomatchout;

			if (!ipsp_aux_match(ipo->ipo_tdb,
			    ipsecflowinfo_ids? ipsecflowinfo_ids: ipo->ipo_ids,
			    &ipo->ipo_addr, &ipo->ipo_mask))
				goto nomatchout;

			/* Cached entry is good. */
			error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
			mtx_leave(&ipo_tdb_mtx);
			return error;

  nomatchout:
			/* Cached TDB was not good. */
			TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
			    ipo_tdb_next);
			tdb_unref(ipo->ipo_tdb);
			ipo->ipo_tdb = NULL;
			ipo->ipo_last_searched = 0;
		}
		/*
		 * If no SA has been added since the last time we did a
		 * lookup, there's no point searching for one. However, if the
		 * destination gateway is left unspecified (or is all-1's),
		 * always look up, since this is a generic-match rule
		 * (otherwise, we can have situations where SAs to some
		 * destinations exist but are not used, possibly leading to an
		 * explosion in the number of acquired SAs).
		 */
		if (ipo->ipo_last_searched <= ipsec_last_added) {
			struct tdb *tdbp_new;

			/* "Touch" the entry. */
			if (dignore == 0)
				ipo->ipo_last_searched = getuptime();

			/* gettdb() takes tdb_sadb_mtx, preserve lock order */
			mtx_leave(&ipo_tdb_mtx);
			/* Find an appropriate SA from the existing ones. */
			tdbp_new = gettdbbydst(rdomain,
			    dignore ? &sdst : &ipo->ipo_dst,
			    ipo->ipo_sproto,
			    ipsecflowinfo_ids? ipsecflowinfo_ids: ipo->ipo_ids,
			    &ipo->ipo_addr, &ipo->ipo_mask);
			ids = NULL;
			mtx_enter(&ipo_tdb_mtx);
			if ((tdbp_new != NULL) &&
			    (tdbp_new->tdb_flags & TDBF_DELETED)) {
				/*
				 * After tdb_delete() has released ipo_tdb_mtx
				 * in tdb_unlink(), never add a new one.
				 * tdb_cleanspd() has to catch all of them.
				 */
				tdb_unref(tdbp_new);
				tdbp_new = NULL;
			}
			if (ipo->ipo_tdb != NULL) {
				/* Remove cached TDB from parallel thread. */
				TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head,
				    ipo, ipo_tdb_next);
				tdb_unref(ipo->ipo_tdb);
			}
			ipo->ipo_tdb = tdbp_new;
			if (ipo->ipo_tdb != NULL) {
				/* gettdbbydst() has already refcounted tdb */
				TAILQ_INSERT_TAIL(
				    &ipo->ipo_tdb->tdb_policy_head,
				    ipo, ipo_tdb_next);
				error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
				mtx_leave(&ipo_tdb_mtx);
				return error;
			}
		}
		mtx_leave(&ipo_tdb_mtx);

		/* So, we don't have an SA -- just a policy. */
		switch (ipo->ipo_type) {
		case IPSP_IPSEC_REQUIRE:
			/* Acquire SA through key management. */
			if (ipsp_acquire_sa(ipo,
			    dignore ? &sdst : &ipo->ipo_dst,
			    signore ? NULL : &ipo->ipo_src, ddst, m) != 0) {
				return EACCES;
			}

			/* FALLTHROUGH */
		case IPSP_IPSEC_DONTACQ:
			return -EINVAL;	/* Silently drop packet. */

		case IPSP_IPSEC_ACQUIRE:
			/* Acquire SA through key management. */
			ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst,
			    signore ? NULL : &ipo->ipo_src, ddst, NULL);

			/* FALLTHROUGH */
		case IPSP_IPSEC_USE:
			return ipsp_spd_inp(m, seclevel, ipo, tdbout);
		}
	} else { /* IPSP_DIRECTION_IN */
		if (tdbin != NULL) {
			/*
			 * Special case for bundled IPcomp/ESP SAs:
			 * 1) only IPcomp flows are loaded into kernel
			 * 2) input processing processes ESP SA first
			 * 3) then optional IPcomp processing happens
			 * 4) we only update m_tag for ESP
			 * => 'tdbin' is always set to ESP SA
			 * => flow has ipo_proto for IPcomp
			 * So if 'tdbin' points to an ESP SA and this 'tdbin' is
			 * bundled with an IPcomp SA, then we replace 'tdbin'
			 * with the IPcomp SA at tdbin->tdb_inext.
			 */
			if (ipo->ipo_sproto == IPPROTO_IPCOMP &&
			    tdbin->tdb_sproto == IPPROTO_ESP &&
			    tdbin->tdb_inext != NULL &&
			    tdbin->tdb_inext->tdb_sproto == IPPROTO_IPCOMP)
				tdbin = tdbin->tdb_inext;

			/* Direct match in the cache. */
			mtx_enter(&ipo_tdb_mtx);
			if (ipo->ipo_tdb == tdbin) {
				error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
				mtx_leave(&ipo_tdb_mtx);
				return error;
			}
			mtx_leave(&ipo_tdb_mtx);

			if (memcmp(dignore ? &ssrc : &ipo->ipo_dst,
			    &tdbin->tdb_src, tdbin->tdb_src.sa.sa_len) ||
			    (ipo->ipo_sproto != tdbin->tdb_sproto))
				goto nomatchin;

			/* Match source/dest IDs. */
			if (ipo->ipo_ids)
				if (tdbin->tdb_ids == NULL ||
				    !ipsp_ids_match(ipo->ipo_ids,
				    tdbin->tdb_ids))
					goto nomatchin;

			/* Add it to the cache. */
			mtx_enter(&ipo_tdb_mtx);
			if (ipo->ipo_tdb != NULL) {
				TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head,
				    ipo, ipo_tdb_next);
				tdb_unref(ipo->ipo_tdb);
			}
			ipo->ipo_tdb = tdb_ref(tdbin);
			TAILQ_INSERT_TAIL(&tdbin->tdb_policy_head, ipo,
			    ipo_tdb_next);
			error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
			mtx_leave(&ipo_tdb_mtx);
			return error;

  nomatchin: /* Nothing needed here, falling through */
			;
		}

		/* Check whether cached entry applies. */
		mtx_enter(&ipo_tdb_mtx);
		if (ipo->ipo_tdb != NULL) {
			/*
			 * We only need to check that the correct
			 * security protocol and security gateway are
			 * set; IDs will be the same since the cached
			 * entry is linked on this policy.
			 */
			if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto &&
			    !memcmp(&ipo->ipo_tdb->tdb_src,
			    dignore ? &ssrc : &ipo->ipo_dst,
			    ipo->ipo_tdb->tdb_src.sa.sa_len))
				goto skipinputsearch;

			/* Not applicable, unlink. */
			TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
			    ipo_tdb_next);
			tdb_unref(ipo->ipo_tdb);
			ipo->ipo_tdb = NULL;
			ipo->ipo_last_searched = 0;
		}

		/* Find whether there exists an appropriate SA. */
		if (ipo->ipo_last_searched <= ipsec_last_added) {
			struct tdb *tdbp_new;

			if (dignore == 0)
				ipo->ipo_last_searched = getuptime();

			/* gettdb() takes tdb_sadb_mtx, preserve lock order */
			mtx_leave(&ipo_tdb_mtx);
			tdbp_new = gettdbbysrc(rdomain,
			    dignore ? &ssrc : &ipo->ipo_dst,
			    ipo->ipo_sproto, ipo->ipo_ids,
			    &ipo->ipo_addr, &ipo->ipo_mask);
			mtx_enter(&ipo_tdb_mtx);
			if ((tdbp_new != NULL) &&
			    (tdbp_new->tdb_flags & TDBF_DELETED)) {
				/*
				 * After tdb_delete() has released ipo_tdb_mtx
				 * in tdb_unlink(), never add a new one.
				 * tdb_cleanspd() has to catch all of them.
				 */
				tdb_unref(tdbp_new);
				tdbp_new = NULL;
			}
			if (ipo->ipo_tdb != NULL) {
				/* Remove cached TDB from parallel thread. */
				TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head,
				    ipo, ipo_tdb_next);
				tdb_unref(ipo->ipo_tdb);
			}
			ipo->ipo_tdb = tdbp_new;
			if (ipo->ipo_tdb != NULL) {
				/* gettdbbysrc() has already refcounted tdb */
				TAILQ_INSERT_TAIL(
				    &ipo->ipo_tdb->tdb_policy_head,
				    ipo, ipo_tdb_next);
			}
		}
  skipinputsearch:
		mtx_leave(&ipo_tdb_mtx);

		switch (ipo->ipo_type) {
		case IPSP_IPSEC_REQUIRE:
			/* If appropriate SA exists, don't acquire another. */
			if (ipo->ipo_tdb != NULL)
				return -EINVAL;	/* Silently drop packet. */

			/* Acquire SA through key management. */
			if ((error = ipsp_acquire_sa(ipo,
			    dignore ? &ssrc : &ipo->ipo_dst,
			    signore ? NULL : &ipo->ipo_src, ddst, m)) != 0)
				return error;

			/* FALLTHROUGH */
		case IPSP_IPSEC_DONTACQ:
			return -EINVAL;	/* Silently drop packet. */

		case IPSP_IPSEC_ACQUIRE:
			/* If appropriate SA exists, don't acquire another. */
			if (ipo->ipo_tdb != NULL)
				return ipsp_spd_inp(m, seclevel, ipo, tdbout);

			/* Acquire SA through key management. */
			ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst,
			    signore ? NULL : &ipo->ipo_src, ddst, NULL);

			/* FALLTHROUGH */
		case IPSP_IPSEC_USE:
			return ipsp_spd_inp(m, seclevel, ipo, tdbout);
		}
	}

	/* Shouldn't ever get this far. */
	return EINVAL;
}

/*
 * Delete a policy from the SPD.
 */
int
ipsec_delete_policy(struct ipsec_policy *ipo)
{
	struct ipsec_acquire *ipa;
	struct radix_node_head *rnh;
	struct radix_node *rn = (struct radix_node *)ipo;

	NET_ASSERT_LOCKED_EXCLUSIVE();

	if (refcnt_rele(&ipo->ipo_refcnt) == 0)
		return 0;

	/* Delete from SPD. */
	if ((rnh = spd_table_get(ipo->ipo_rdomain)) == NULL ||
	    rn_delete(&ipo->ipo_addr, &ipo->ipo_mask, rnh, rn) == NULL)
		return (ESRCH);

	mtx_enter(&ipo_tdb_mtx);
	if (ipo->ipo_tdb != NULL) {
		TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
		    ipo_tdb_next);
		tdb_unref(ipo->ipo_tdb);
		ipo->ipo_tdb = NULL;
	}
	mtx_leave(&ipo_tdb_mtx);

	mtx_enter(&ipsec_acquire_mtx);
	while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL)
		ipsp_delete_acquire_locked(ipa);
	mtx_leave(&ipsec_acquire_mtx);

	TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list);

	if (ipo->ipo_ids)
		ipsp_ids_free(ipo->ipo_ids);

	ipsec_in_use--;

	pool_put(&ipsec_policy_pool, ipo);

	return 0;
}

void
ipsp_delete_acquire_timer(void *v)
{
	struct ipsec_acquire *ipa = v;

	mtx_enter(&ipsec_acquire_mtx);
	refcnt_rele(&ipa->ipa_refcnt);
	ipsp_delete_acquire_locked(ipa);
	mtx_leave(&ipsec_acquire_mtx);
}

/*
 * Delete a pending IPsec acquire record.
 */
void
ipsp_delete_acquire(struct ipsec_acquire *ipa)
{
	mtx_enter(&ipsec_acquire_mtx);
	ipsp_delete_acquire_locked(ipa);
	mtx_leave(&ipsec_acquire_mtx);
}

void
ipsp_delete_acquire_locked(struct ipsec_acquire *ipa)
{
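	/*
	 * timeout_del() returns 1 if the timeout was still pending and has
	 * been cancelled; in that case also drop the reference that the
	 * scheduled timeout held on the acquire record.
	 */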
	if (timeout_del(&ipa->ipa_timeout) == 1)
		refcnt_rele(&ipa->ipa_refcnt);
	ipsp_unref_acquire_locked(ipa);
}

void
ipsec_unref_acquire(struct ipsec_acquire *ipa)
{
	mtx_enter(&ipsec_acquire_mtx);
	ipsp_unref_acquire_locked(ipa);
	mtx_leave(&ipsec_acquire_mtx);
}

void
ipsp_unref_acquire_locked(struct ipsec_acquire *ipa)
{
	MUTEX_ASSERT_LOCKED(&ipsec_acquire_mtx);

	if (refcnt_rele(&ipa->ipa_refcnt) == 0)
		return;
	TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next);
	TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, ipa_ipo_next);
	ipa->ipa_policy = NULL;

	pool_put(&ipsec_acquire_pool, ipa);
}

/*
 * Find out if there's an ACQUIRE pending.
 * XXX Need a better structure.
 */
int
ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw)
{
	struct ipsec_acquire *ipa;

	NET_ASSERT_LOCKED();

	mtx_enter(&ipsec_acquire_mtx);
	TAILQ_FOREACH(ipa, &ipo->ipo_acquires, ipa_ipo_next) {
		if (!memcmp(gw, &ipa->ipa_addr, gw->sa.sa_len))
			break;
	}
	mtx_leave(&ipsec_acquire_mtx);

	return (ipa != NULL);
}

/*
 * Signal key management that we need an SA.
 * XXX For outgoing policies, we could try to hold on to the mbuf.
 */
int
ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
    union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m)
{
	struct ipsec_acquire *ipa;

	NET_ASSERT_LOCKED();

	/* Check whether request has been made already. */
	if (ipsp_pending_acquire(ipo, gw))
		return 0;

	/* Add request in cache and proceed. */
	ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO);
	if (ipa == NULL)
		return ENOMEM;

	ipa->ipa_addr = *gw;

	refcnt_init(&ipa->ipa_refcnt);
	timeout_set(&ipa->ipa_timeout, ipsp_delete_acquire_timer, ipa);

	ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN;
	ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY;

	/* Just copy the right information. */
	switch (ipo->ipo_addr.sen_type) {
	case SENT_IP4:
		ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4;
		ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction;
		ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction;

		if (ipsp_is_unspecified(ipo->ipo_dst)) {
			ipa->ipa_info.sen_ip_src = ddst->sen_ip_src;
			ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST;

			ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst;
			ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST;
		} else {
			ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src;
			ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src;

			ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst;
			ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst;
		}

		ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto;
		ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto;

		if (ipo->ipo_addr.sen_proto) {
			ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport;
			ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport;

			ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport;
			ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport;
		}
		break;

#ifdef INET6
	case SENT_IP6:
		ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6;
		ipa->ipa_info.sen_ip6_direction =
		    ipo->ipo_addr.sen_ip6_direction;
		ipa->ipa_mask.sen_ip6_direction =
		    ipo->ipo_mask.sen_ip6_direction;

		if (ipsp_is_unspecified(ipo->ipo_dst)) {
			ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src;
			ipa->ipa_mask.sen_ip6_src = in6mask128;

			ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst;
			ipa->ipa_mask.sen_ip6_dst = in6mask128;
		} else {
			ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src;
			ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src;

			ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst;
			ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst;
		}

		ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto;
		ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto;

		if (ipo->ipo_mask.sen_ip6_proto) {
			ipa->ipa_info.sen_ip6_sport =
			    ipo->ipo_addr.sen_ip6_sport;
			ipa->ipa_mask.sen_ip6_sport =
			    ipo->ipo_mask.sen_ip6_sport;
			ipa->ipa_info.sen_ip6_dport =
			    ipo->ipo_addr.sen_ip6_dport;
			ipa->ipa_mask.sen_ip6_dport =
			    ipo->ipo_mask.sen_ip6_dport;
		}
		break;
#endif /* INET6 */

	default:
		pool_put(&ipsec_acquire_pool, ipa);
		return 0;
	}

	mtx_enter(&ipsec_acquire_mtx);
#ifdef IPSEC
	if (timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire) == 1)
		refcnt_take(&ipa->ipa_refcnt);
#endif
	TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next);
	TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next);
	ipa->ipa_policy = ipo;
	mtx_leave(&ipsec_acquire_mtx);

	/* PF_KEYv2 notification message. */
	return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst);
}

/*
 * Deal with PCB security requirements.
 */
int
ipsp_spd_inp(struct mbuf *m, const struct ipsec_level *seclevel,
    struct ipsec_policy *ipo, struct tdb **tdbout)
{
	/* Sanity check. */
	if (seclevel == NULL)
		goto justreturn;

	/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
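	/*
	 * Outcomes, as implemented below:
	 *	all three levels BYPASS	-> accept, hand back cached TDB if any
	 *	all three levels AVAIL	-> accept, hand back cached TDB if any
	 *	anything else		-> -EINVAL, silently drop
	 */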

	if (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS &&
	    seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS &&
	    seclevel->sl_auth == IPSEC_LEVEL_BYPASS)
		goto justreturn;

	if (seclevel->sl_esp_trans == IPSEC_LEVEL_AVAIL &&
	    seclevel->sl_esp_network == IPSEC_LEVEL_AVAIL &&
	    seclevel->sl_auth == IPSEC_LEVEL_AVAIL)
		goto justreturn;

	return -EINVAL;	/* Silently drop packet. */

  justreturn:
	if (tdbout != NULL) {
		if (ipo != NULL)
			*tdbout = tdb_ref(ipo->ipo_tdb);
		else
			*tdbout = NULL;
	}
	return 0;
}

/*
 * Find a pending ACQUIRE record based on its sequence number.
 * XXX Need to use a better data structure.
 */
struct ipsec_acquire *
ipsec_get_acquire(u_int32_t seq)
{
	struct ipsec_acquire *ipa;

	NET_ASSERT_LOCKED();

	mtx_enter(&ipsec_acquire_mtx);
	TAILQ_FOREACH(ipa, &ipsec_acquire_head, ipa_next) {
		if (ipa->ipa_seq == seq) {
			refcnt_take(&ipa->ipa_refcnt);
			break;
		}
	}
	mtx_leave(&ipsec_acquire_mtx);

	return ipa;
}
960